Preface



The Department of Homeland Security (DHS) Office of Inspector General was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment 
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and 
special reports prepared as part of our oversight responsibilities to promote economy, 
efficiency, and effectiveness within the department. 

This report addresses the strengths and weaknesses of the implementation of technical 
and information security policies and procedures at DHS components located at Los 
Angeles International Airport, California. It is based on interviews with employees and 
officials of relevant agencies and institutions, direct observations, and reviews of 
applicable documents. 

The recommendations herein have been developed to the best knowledge available to our 
office, and have been discussed in draft with those responsible for implementation. It is 
our hope that this report will result in more effective, efficient, and economical 
operations. We express our appreciation to all of those who contributed to the 
preparation of this report. 




Richard L. Skinner 
Inspector General

Department of Homeland Security
Office of Inspector General 

Executive Summary 

As part of our Technical Security Evaluation Program, we 
evaluated technical and information security policies and 
procedures of Department of Homeland Security components at 
Los Angeles International Airport. Customs and Border 
Protection, Immigration and Customs Enforcement, Transportation 
Security Administration, and the United States Coast Guard 
operate information technology systems or have a presence at this 
airport in support of Homeland Security operations. 

Our evaluation focused on how these components had 
implemented computer security operational, technical, and 
management controls for their information technology assets at this 
site. We performed onsite inspections of the areas where these 
assets were located, interviewed Department of Homeland Security 
staff, and conducted technical tests of internal controls. We also 
reviewed applicable policies, procedures, and other relevant 
documentation. 

The information technology security controls implemented at this 
site have deficiencies that, if exploited, could result in the loss of 
confidentiality, integrity, and availability of their information 
technology systems. Specifically, these components need to 
improve their physical security operational controls for 
telecommunications equipment and servers. These components 
also could improve their technical controls by 

Additionally, these components need to improve their management 
controls by upgrading documentation to include information 
technology assets at Los Angeles International Airport.

Background



We designed our Technical Security Evaluation Program to 
provide senior Department of Homeland Security (DHS) officials 
with timely information on whether they had properly 
implemented DHS information technology (IT) security policies at 
critical sites. Our program is based on DHS Sensitive Systems 
Policy Directive 4300 A (DHS Directive 4300A), which applies to 
all DHS components. It provides direction to managers and senior 
executives regarding the management and protection of sensitive 
systems. DHS Directive 4300A also outlines policies relating to 
the operational, technical, and management controls that are 
necessary for ensuring confidentiality, integrity, availability, 
authenticity, and non-repudiation within the DHS IT infrastructure 
and operations. A companion document — the DHS 4300A 
Sensitive Systems Handbook (DHS 4300A Handbook) — provides 
detailed guidance on the implementation of these policies. 

DHS IT security policies are organized under operational, 
technical, and management controls. According to DHS Directive 
4300A, these controls are defined as follows: 

• Operational Controls - Focus on mechanisms 
primarily implemented and executed by people. These 
controls are designed to improve the security of a 
particular system, or group of systems. These controls 
require technical or specialized expertise and often rely 
on management and technical controls. 

• Technical Controls - Focus on security controls 
executed by IT systems. These controls provide 
automated protection from unauthorized access or 
misuse. They facilitate detection of security violations, 
and support security requirements for applications and 
data.

• Management Controls - Focus on managing both the
IT security system and system risk. These controls 
consist of risk mitigation techniques and concerns 
normally addressed by management. 

Customs and Border Protection (CBP), Immigration and Customs 
Enforcement (ICE), Transportation Security Administration 
(TSA), and the United States Coast Guard (USCG) each have 
activities at Los Angeles International Airport (LAX). They rely 
on a range of IT assets to support their respective missions. As a 
Category X airport, LAX is classified among those airports with 
the largest number of enplanements. 1 

CBP's activities at LAX include processing passengers and 
baggage on arriving international flights. CBP staff at LAX use 
their systems to access various applications, including the Treasury 
Enforcement Communications System (TECS). 2 

ICE's Office of Investigations at the El Segundo Field Office 
supports operations at LAX that focus on a broad array of national 
security, financial, and smuggling violations, for example, 

• Illegal arms exports, 

• Financial crimes, 

• Commercial fraud, 

• Human trafficking, 

• Narcotics smuggling, 

• Child pornography/exploitation, and

• Immigration fraud. 

Using their unique legal authorities, ICE special agents also 
conduct investigations aimed at protecting critical infrastructure 
industries that are vulnerable to sabotage, attack, or exploitation. 

TSA's activities include screening passengers and baggage on all 
departing flights at LAX. In support of these activities, TSA has 
operations in several buildings at LAX, and TSA staff use Digital 
Subscriber Lines circuits to access computer systems. 



1 There are five categories of airports — X, I, II, III, and IV. Category X airports have the largest number of 
enplanements and category IV airports have the smallest number. 

2 TECS is a CBP mission-critical law enforcement application designed to identify people and businesses 
suspected of or involved in violation of federal law. TECS is also a communications system permitting 
message transmittal among DHS law enforcement offices and other national, state, and local law 
enforcement agencies.

USCG personnel at LAX, designated Air Station Los Angeles,
maintain search and rescue helicopters 24 hours a day, 365 days a 
year. They are responsible for protecting the coastal area of 
Southern California from Dana Point to Morro Bay. Additionally, 
USCG helicopters conduct homeland security patrols for the Ports 
of Los Angeles, Long Beach, and Hueneme. Its responsibilities 
include the over-water approach and departure corridors for LAX 
and the Channel Islands National Parks.

Results of Review



CBP Did Not Comply Fully With DHS Sensitive System Policies 

CBP could strengthen operational, technical, and management controls for 
its servers, routers, and switches operating at LAX. For example, CBP 
could improve business continuity and physical security, and ensure that 

Additionally, CBP should take actions to ensure that its IT assets are 
scanned on a regular basis. Further, required system documentation 
should be updated to include CBP's IT assets at LAX. Collectively, these 
deficiencies could place at risk the confidentiality, integrity, and 
availability of the data stored, transmitted, and processed by CBP at LAX. 

Operational Controls 

Onsite implementation of operational controls that did not conform 
fully to DHS policies included 

Additionally, CBP needs to improve its 

Communications Redundancy 

CBP experienced a network outage that disrupted its operations for 
more than 10 hours and affected more than 17,000 passengers on 
August 11, 2007. 3 This outage resulted in significant delays in 
processing arriving international passengers, causing the terminals 
to fill with passengers waiting to be processed. Because of this 
situation, the LAX fire marshal restricted the number of passengers 
that CBP could stage in the waiting areas and jet ways. 
Consequently, CBP staff at LAX were forced to keep many 
passengers on board aircraft for hours following international 
flights. Additionally, CBP staff were forced to reroute some 
flights to a nearby airport. This outage was exacerbated by an old 
IT infrastructure, which did not have network or power redundancy 
at LAX. 

Subsequently, CBP has taken steps to ensure communications
redundancy at LAX. Specifically, CBP added circuits and
hardware to remove a single point-of-failure deficiency that
previously existed. CBP also established a new
telecommunications closet in a second building at LAX. These
actions ensure that CBP users at LAX will not be limited to one
communications pathway when accessing CBP systems.

3 Our draft report, Customs and Border Protection Did Not Manage Effectively a Network Outage at Los
Angeles International Airport, will provide further information on the outage.

Business Continuity 

CBP's business continuity capability needs to be strengthened at 
LAX. For example, 



CBP has implemented uninterruptible power supplies (UPS) 



Further, installing UPS devices for telecommunications equipment 
is not enough to ensure that CBP workstations will be in operation 
following a power failure. 



However, CBP has taken steps to ensure that they will be able to 
process passengers during a communications or power outage that 
lasts for a long duration. 



According to the DHS 4300A Handbook: 

"DHS must have the capability to ensure continuity of 
essential functions under all circumstances."

Physical Security Controls

CBP has taken steps to place its communications assets in locked 
cabinets within areas controlled by CBP. These actions will help 
secure CBP's IT assets at LAX from damage. 



Figure 1: CBP replaced the old rack (left) with a new locking cabinet (right) 

However, CBP has not completed this conversion at all locations at 
LAX. 



According to the DHS 4300A Handbook: 

"Controls for deterring, detecting, restricting, and 
regulating access to sensitive areas shall be in place and 
will be sufficient to safeguard against possible loss, theft, 
destruction, damage, hazardous conditions, fire, malicious 
actions, and natural disasters." 

Environmental Controls 

During our September 2007 walk-through of DHS facilities, we 
noted that many of the CBP telecommunications rooms had 
temperatures exceeding 70 degrees Fahrenheit. While CBP is 
placing this equipment in cabinets that contain fans, there are no 
temperature sensors in the cabinets to automatically turn on the 
fans or to alert CBP staff if temperature exceeds 70 degrees 
Fahrenheit.

According to the DHS 4300A Handbook:



"Temperatures in computer storage areas should be held 
between 60 and 70 degrees Fahrenheit." 



Additionally, at LAX, CBP is relying on the facility's fire 
suppression system. However, there were also fire extinguishers in 
two telecommunications rooms that either were not charged or had 
not been inspected within 12 years. Fire extinguishers that will not 
perform could cause CBP staff to waste valuable time during an 
emergency. 

Further, in several of the server and telecommunications rooms 
there was poor electrical wiring, misplaced ceiling tiles, dust, and 
storage of non-IT assets. While we are aware that construction is 
ongoing, CBP should take steps to ensure that its IT assets will not 
be accidentally damaged during this transition period. 




Figure 2: Missing ceiling tiles and inadequate storage at LAX. 

Technical Controls 

CBP's implementation of technical controls at LAX that did not 
conform fully to DHS

Inadequate Network Monitoring



Specifically, CBP has centralized 
its network monitoring activities 



Unsupported Operating System 

CBP is operating six refugee fingerprint processing machines at 
LAX. At least one of these machines has an unsupported operating 
system. CBP is now working with the vendor to upgrade the 
operating systems on the refugee fingerprint devices at LAX and 
four other airports. 

Operating systems that are not supported by their vendors may not 
receive updates or patches when a vulnerability or exploitation has 
been identified. 

Inadequate Vulnerability Assessment

According to DHS Directive 4300A:

"Components shall conduct vulnerability assessments 
and/or testing to identify security vulnerabilities on IT 
systems containing sensitive information annually or 
whenever significant changes are made to the IT systems. 
This should include scanning for unauthorized wireless 
devices. Evidence that annual assessments have been 
conducted should be included with Security Assessment 
Reports (SAR)." 

Inadequate Access Control 

CBP could strengthen the access controls on its servers at LAX. 



According to the DHS 4300A Handbook, 

"Passwords shall be at least 8 characters in length . . . shall 
be changed or expire in 180 days or less." 



Automated systems are vulnerable to fraudulent or malicious 
activity by anyone with the authority or capability to access 
information not required to perform their job-related duties. 

According to the DHS 4300A Handbook, 

"To protect sensitive information and limit the damage that 
can result from accident, error, or unauthorized use, the 
principle of least privilege must be applied. The principle 
of least privilege requires that users be granted the most 
restrictive set of privileges (or lowest clearance) needed for 
performance of authorized tasks — i.e., users should be able 
to access only the system resources needed to fulfill their 
job responsibilities."

Vulnerable Services

CBP servers, routers, and switches at LAX have numerous 



increase the risk that CBP 
systems may be compromised by malicious users or external 
attacks. 

According to DHS Directive 4300A: 

"Components shall manage systems to reduce 
vulnerabilities through vulnerability testing, promptly 
installing patches, and eliminating or disabling unnecessary 
services, if possible." 

Further, CBP's switches at LAX were not properly configured to 
prevent an "insider" from gaining unauthorized privileges and 
information. 

This may allow an attacker to capture login 
credentials and remotely take control of the router and change or 
delete configuration files. 



4 According to the National Institute of Standards and Technology's Threat Assessment of Malicious Code 
and Human Threats (NISTIR 4939), "Insiders are legitimate users of a system. When they use that access 
to circumvent security, that is known as an insider attack."

According to DHS Directive 4300A:



A connection protocol such as Secure Shell (SSH) that 
employs secure authentication (two factor, encrypted, key 
exchange, etc.) and is approved by the Component shall be 
used instead." 

Management Controls 

CBP's implementation of management controls at LAX did not 
conform fully to DHS policies. 



These management controls deficiencies 
increase the risk to CBP's IT investments, systems, and data from 
new threats and vulnerabilities for which safeguards have not been 
implemented. 

Far West Field LAN 

CBP's LAN at LAX is part of the FWFL. 5 Starting in September 
2007, CBP upgraded old routers, switches, and circuits at LAX. 
However, CBP has not conducted a new risk assessment to 
determine if there is any potential security risk associated with the 
new infrastructure at LAX. 

Additionally, CBP has not updated Trusted Agent - Federal 
Information Security Management Act (TA-FISMA) to include the 
new infrastructure at LAX. Specifically, LAX LAN is part of the 
FWFL, which is a "type accreditation" system. 6 However, CBP
has not prepared the necessary attachments to its documentation 
annotating LAX site-specific physical and logical variations 
related to the new infrastructure that CBP had implemented at 
LAX. 



5 The Far West Field LAN system consists of 83 Field LAN systems, including the LAX LAN, connected 
to the CBP Private IP WAN. The Far West Field LANs consist of servers, desktop computers, printers,
interconnecting wiring, and associated software. Its mission is to support the Field Offices/Agents with
applications and technologies in the securing and protection of our Nation's borders. 

6 Type accreditation allows for common security control across sites to be consolidated and for a single 
master certification and authorization to be conducted.

According to DHS Directive 4300A:

"Components shall conduct and document risk assessments 
every three years, when high impact weaknesses are 
identified, or whenever significant changes to the system 
configuration or to the operational/threat environment have 
been made, whichever occurs first." 

According to DHS 4300A Sensitive Security Handbook, 
Attachment D - Type Accreditation:

"To account for unique physical and logical variations at 
the site level, a description of any differences and the 
associated risks at each site are documented, and the site- 
specific documents are incorporated as attachments or 
appendices to the master C&A package." 

Wireless Local Area Network 

In November 2006, CBP installed a WLAN at LAX to provide 
high-speed mobile data connectivity and wireless coverage to CBP 
agents operating in and around LAX. However, CBP staff at LAX 
did not test the WLAN once it was connected to the CBP network. 
During the time of our visit at LAX, December 2007, CBP staff 
were unable to operate this system because of technical problems. 

According to CBP staff, CBP did not test the WLAN after it was 
connected to the CBP network and does not know if CBP staff 
have ever used this system. Additionally, CBP did not document 
the WLAN in the FWFL SSP. Further, the WLAN was not 
included in CBP's systems inventory, DHS' Trusted Agent FISMA 
(TA-FISMA) reporting tool. 7 

According to the DHS 4300A: 

"Component [Information Systems Security Managers] 
ISSMs shall ensure that a risk assessment is conducted 
whenever any modifications are made to sensitive IT 
systems, networks, or to their physical environments, 
interfaces, or user community. SSPs shall be updated and 
re-certification conducted if warranted." 



7 DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all 
Plans of Action and Milestones, including self-assessments, and certification and accreditation data.

CBP management cannot be assured that IT systems and data are
adequately secured unless the various activities leading to 
accreditation are performed and the Designated Accrediting 
Authority (DAA) has accepted in writing the risks associated with 
operating the systems. 

Miscellaneous Issue 

CBP operates 1,900 IT devices at various facilities throughout the 
country that are not regularly scanned for vulnerabilities. 



Further, the CBP SOC maintains a list of an 
additional 1,048 devices that it has excluded from being scanned 
for vulnerabilities. During the course of this evaluation, CBP 
started requiring vulnerability assessments 

Finally, 

according to CBP staff, they have developed a new approach to 
vulnerability assessments 

starting in February 2008. 

These deficiencies increase the risk that CBP IT systems used at 
LAX and other locations are vulnerable . CBP is 

at increased risk that a device may be open to attack if it does not 
perform vulnerability assessments regularly. 

Recommendations 

We recommend that the CBP Chief Information Officer (CIO) take 
the following actions for CBP activities at LAX: 

Recommendation #1: Implement business continuity of 
operations capability for CBP facilities at LAX, including the 
installation of a backup power supply. 

Recommendation #2: Implement stronger physical security and 
environmental controls to protect CBP's IT assets from possible 
loss, theft, destruction, accidental damage, hazardous conditions, 
fire, malicious actions, and natural disasters. 

Recommendation #3: Use a connection protocol that employs 
secure authentication.

Recommendation #4: Apply the necessary operating system
upgrades. 

Recommendation #5: Close all unnecessary ports from the 
servers, routers, and switches. 

Recommendation #6: Update the FWFL SSP and perform risk 
assessments whenever there are significant changes to the system. 

Recommendation #7: Regularly perform vulnerability
assessments on IT systems containing sensitive information, as 
required by DHS Directive 4300A. 

Management Comments and OIG Analysis 

We obtained written comments on a draft of this report from the 
DHS Chief Information Officer. We have included a copy of the 
comments in their entirety at Appendix B. 

In the comments, CBP concurred with recommendations one, two, 
and four through seven. These recommendations will be 
considered resolved but open pending verification of all planned 
actions. 

CBP did not concur with recommendation three. 



We maintain that CBP should comply with DHS 4300A and use a 
secure communications protocol.

ICE Did Not Comply Fully With DHS Sensitive System Policies



ICE could strengthen operational, technical, and management policies for 
the server, router, and switches at the El Segundo Field Office. For 
example, ICE could enhance physical security of its server room, 

Additionally, required system documentation 
should be updated to include ICE's IT assets at the El Segundo Field 
Office. Collectively, these deficiencies could place at risk the 
confidentiality, integrity, and availability of the data stored, transmitted, 
and processed by ICE at El Segundo. 

Operational Controls 

Onsite implementation of operational controls that did not conform 
fully to DHS policies included physical security and environmental 
controls. Specifically, ICE could better protect its IT assets by 
restricting access to ICE's server room or by placing the IT assets 
in a locked cabinet. Additionally, ICE IT assets are at risk of 
damage or malfunctioning because of the absence of an adequate 
HVAC system in its server room. These environmental and 
physical security controls deficiencies place the IT assets at the El 
Segundo Field Office at increased risk from unauthorized access 
and damage. 

Physical Security and Environmental Controls 

The ICE suite at El Segundo was not properly secured to prevent
unauthorized access. 



The El Segundo Field Office of Investigations supports ICE operations at LAX.

ICE also needs better physical security controls to limit access to
its server room, which is located next to the main entrance to ICE 
office space. However, the server room door is always left open 
because the room does not have an adequate HVAC system. For 
example, the server room temperature was 76.6 degrees Fahrenheit 
at the time of our visit. Additionally, anyone entering the server 
room would have access to ICE back-up tapes, server, router, and 
switches because they are not stored in a locked cabinet. Figure 4 
illustrates how the server room is not restricted, and the door is left 
open because of the absence of an HVAC system. Figure 5 shows 
the ICE IT assets that are not in a locked cabinet. 




Figure 4: ICE server room with open door

Figure 5: ICE server not secured in a locked cabinet



According to the DHS 4300A Handbook: 

"To protect sensitive information and limit the damage that 
can result from accident, error, or unauthorized use, the 
principle of least privilege must be applied. The principle 
of least privilege requires that users be granted the most 
restrictive set of privileges (or lowest clearance) needed for 
performance of authorized tasks — i.e., users should be able 
to access only the system resources needed to fulfill their 
job responsibilities." 

"Controls for deterring, detecting, restricting, and 
regulating access to sensitive areas shall be in place and 
will be sufficient to safeguard against possible loss, theft, 
destruction, damage, hazardous conditions, fire, malicious 
actions, and natural disasters." 

"Temperatures in computer storage areas should be held 
between 60 and 70 degrees Fahrenheit." 

Technical Controls 

ICE's implementation of technical controls that did not conform 
fully to DHS policies includes operating a server that was running 
an unsupported operating system. Additionally, ICE's server, 
router, and switches were not properly configured to prevent an
insider from gaining unauthorized privilege and information. 
These deficiencies increase the risk that ICE IT systems used at El 
Segundo Field Office are vulnerable to internal attacks. 

Unsupported Operating System 

An unsupported operating system was running on ICE's server at 
the El Segundo Field Office. 

Operating systems that are 
not supported by their vendors may not receive updates or patches 
when a vulnerability or exploitation has been identified. 

Access Controls 

ICE could strengthen its access controls at the El Segundo Field 
Office. Specifically, users had administrative access to multiple 
files and directories. Additionally, shared administrative login 
accounts were in place, allowing multiple people to use the same 
account for system access. 

This configuration increases the risk of loss or theft of ICE 
mission-sensitive data. For example, unauthorized personnel may
have the ability to write, alter, or delete data that reside on shared 
resources. 

According to the DHS 4300A Handbook: 

"To protect sensitive information and limit the damage that 
can result from accident, error, or unauthorized use, the 
principle of least privilege must be applied. The principle 
of least privilege requires that users be granted the most 
restrictive set of privileges (or lowest clearance) needed for 
performance of authorized tasks — i.e., users should be able 
to access only the system resources needed to fulfill their 
job responsibilities." 

Vulnerable Services 



An attacker could 
potentially exploit this vulnerability to gain a list of usernames and
other sensitive information. 

Further, ICE's switches at El Segundo were not properly 
configured to prevent an insider from gaining unauthorized 
privileges and information. 

This may allow an attacker to 
capture login credentials, remotely take control of the devices, and 
change or delete configuration files. 

According to DHS Directive 4300A: 

"Telnet shall not be used to connect to any DHS computer. 
A connection protocol such as Secure Shell (SSH) that 
employs secure authentication (two factor, encrypted, key 
exchange, etc.) and is approved by the Component shall be 
used instead." 

Management Controls 

ICE's implementation of management controls at El Segundo did
not conform fully to DHS policies. For example, ICE did not 
provide a system security plan that included the IT assets located at 
the El Segundo Field Office. Additionally, ICE's server and 
telecommunications equipment uses the CBP backbone for 
connectivity. However, ICE did not have an interconnection 
security agreement (ISA) between ICE and CBP for use of this 
system connectivity. These management controls deficiencies 
increase the risk to ICE's IT investments, systems, and data from 
new threats and vulnerabilities for which safeguards have not been 
implemented. 

According to the DHS 4300A: 

"Component [Information Systems Security Managers] 
ISSMs shall ensure that a risk assessment is conducted 
whenever any modifications are made to sensitive IT 
systems, networks, or to their physical environments, 
interfaces, or user community. SSPs shall be updated and 
re-certification conducted if warranted."

According to the DHS 4300A Handbook:



"Components shall document interconnections with other 
external networks with an Interconnection Security 
Agreement (ISA)." 

"Interconnections between DHS Components shall require 
an ISA when there is a difference in the security 
categorizations for confidentiality, integrity, and 
availability for the two networks. ISAs shall be signed by
both DAAs or by the official designated by the DAA to 
have signatory authority." 

Recommendations 

We recommend that the ICE CIO take the following actions for 
ICE activities at LAX: 

Recommendation #8: Implement stronger physical security to 
protect ICE's IT assets from possible loss, theft, destruction, 
accidental damage, hazardous conditions, fire, malicious actions, 
and natural disasters. 

Recommendation #9: Provide an adequate HVAC system for the 
server room or obtain a waiver from the DAA. 

Recommendation #10: Use a connection protocol that employs 
secure authentication. 

Recommendation #11: Apply the necessary operating system 
upgrades to the server. 

Recommendation #12: Eliminate or disable unnecessary ports 
from the server and router. 

Recommendation #13: Establish and maintain the required 
interconnection security agreements. 

Recommendation #14: Include the IT assets at the El Segundo 
Field Office in the system security plan for the Special Agent in 
Charge, West Region.

Management Comments and OIG Analysis

In the comments, ICE concurred with recommendations 8 through 
12. These recommendations will be considered resolved but open 
pending verification of all planned actions. ICE did not concur 
with recommendations 13 and 14. 

According to ICE, the deficiency associated with recommendation 
13 is not applicable as both systems would have an aggregate 
security categorization of 'high.' 



Additionally, according to ICE, the deficiency associated with 
recommendation 

However, according to DHS 4300A, Attachment D, Type Accreditation:

"The documentation contains two critical types of
information:

o Site-specific details (e.g., deviations to
functionality, configurations, and physical controls)
o Site-specific risk analysis (e.g., additional risks that
are perpetrated by the deviations at the site)"



We maintain that ICE should 
comply with DHS 4300A and include the El Segundo Field Office 
in the appropriate system security plan.

TSA Did Not Comply Fully With DHS Sensitive System Policies



TSA could strengthen operational, technical, and management controls for 
its servers, router, and switches operating at LAX. For example, TSA 
could remove excess storage from its server room, implement fire 
suppression, and ensure that the most recent software security patches are 
installed on its server, router, and switches. Additionally, not all TSA IT 
resources at LAX are included in the TSA system inventory. Collectively, 
these deficiencies could place at risk the confidentiality, integrity, and 
availability of the data stored, transmitted, and processed by TSA at LAX. 

Operational Controls 

Onsite implementation of operational controls that did not conform 
fully to DHS policies included excess storage near computer 
equipment and inadequate environmental controls. Specifically, 
TSA could better protect its IT assets by ensuring that the 
immediate areas around the server and communication equipment 
are not used for general storage. 

Physical Security 

TSA administrative functions for LAX operations are performed in 
an offsite facility where TSA has several rooms with IT 
equipment. Although these rooms are behind several locked 
doors, TSA needs to improve its physical security. For example, 
the server room at this location was being used to store new 
equipment as well as old equipment prior to disposal. There were 
also two unbraced shelves that could hinder access to the TSA 
servers, router, and switches following an earthquake. Figure 6 
illustrates the condition of the TSA server room. 

Additionally, the TSA telecommunications room in the logistics 
department contains a switch and a server that were not in a locked 
cabinet. This room was also used to store some non-IT related 
items. Further, TSA has a switch in another room that also was not 
in a locked cabinet. 

The examples mentioned above increase the risk of accidental loss 
of power or damage to IT resources supporting TSA operations at 
LAX. 

According to the DHS 4300A Handbook, 

"Controls for deterring, detecting, restricting, and 
regulating access to sensitive areas shall be in place and 
will be sufficient to safeguard against possible loss, theft, 
destruction, damage, hazardous conditions, fire, malicious 
actions, and natural disasters." 




Figure 6: TSA server room used for storage 



Environmental Controls 

TSA also could improve environmental controls for its IT assets. 
For example, the temperature was 76.7 degrees Fahrenheit in the 
telecommunications room in the logistics department. Further, 
TSA was using a portable fan to cool down the switch mounted on 
the wall and the stand-alone server underneath the table. Figure 7 
illustrates the condition of the TSA telecommunications room at 
LAX. 

Figure 7: Portable fan used to cool switch and server area 

TSA's communications equipment was also at risk of failure 
because of the absence of temperature or humidity sensors in the 
communications rooms. The absence of environmental sensors 
and proper HVAC for IT equipment increases the risk that TSA's 
IT assets may malfunction. 

According to the DHS 4300A Handbook, 

"The condition of the air is important to prevent damage to 
IT equipment." 

Additionally, TSA did not have a fire suppression system in place 
at LAX. Specifically, no water sprinklers or fire extinguishers 
were at the server room or telecommunication closets. The 
absence of an adequate fire suppression system places TSA's IT 
assets at risk of possible loss, destruction, damage, hazardous 
conditions, fire, malicious actions, and natural disasters. As a 
compensating control, TSA has already deployed fire extinguishers 
to resolve this deficiency. 

According to the DHS 4300A Handbook: 

"When a centralized fire suppression system is not 
available, fire extinguishers should be readily available." 

Technical Controls 



TSA's implementation of technical controls at LAX that did not 
conform fully to DHS policies include inadequate access controls, 
insecure communications protocols, and open ports with known 
vulnerabilities. These deficiencies increase the risk that TSA IT 
systems used at LAX are vulnerable to internal attacks. 

Access Controls 

Configuration management for the TSA server needs to be 
strengthened. Specifically, the Lightweight Directory Access 
Protocol is configured to allow anonymous access to the TSA 
server. As a result, an unauthorized user or a hacker could log in 
to the system without proper credentials. 

Additionally, the Windows built-in user group "EVERYONE" was 
configured to allow full control and access to shared data. This 
may allow an unauthenticated user to upload malicious code onto a 
shared resource. 

The purpose of access controls is to protect against the 
unauthorized disclosure, modification, or destruction of data 
residing in these systems, as well as the applications themselves. 
Automated systems are vulnerable to fraudulent or malicious 
activity by anyone with the authority or capability to access 
information not required to perform their duties. 

According to the DHS 4300A Handbook: 

"To protect sensitive information and limit the damage that 
can result from accident, error, or unauthorized use, the 
principle of least privilege must be applied. The principle 
of least privilege requires that users be granted the most 
restrictive set of privileges (or lowest clearance) needed for 
performance of authorized tasks — i.e., users should be able 
to access only the system resources needed to fulfill their 
job responsibilities." 

Insecure Communications Protocols 

TSA's switches at LAX were not properly configured to prevent an 
insider from gaining unauthorized privileges and information. For 
example, telnet was being used on a TSA switch at LAX. 
However, telnet does not encrypt login and password credentials. 
This may allow an attacker to capture login credentials and 
remotely take control of the router and change or delete 
configuration files. 

Additionally, the File Transfer Protocol (FTP) port 21 was active, 
leaving the device vulnerable to unauthorized access. FTP is not 
permitted on DHS systems due to the potential risk when used for 
non-administrative purposes. For instance, just like telnet, FTP 
transmits login and password credentials in clear text. 

According to DHS Directive 4300A: 

"Telnet shall not be used to connect to any DHS computer. 
A connection protocol such as Secure Shell (SSH) that 
employs secure authentication (two factor, encrypted, key 
exchange, etc.) and is approved by the Component shall be 
used instead." 

"File Transfer Protocol (FTP) shall not be used to connect 
to or from any DHS computer. A connection protocol that 
employs secure authentication (two factor, encrypted, key 
exchange, etc.) and is approved by the Component shall be 
used instead." 
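
One way to check a switch for the Telnet and FTP condition described above, as an added example that is not taken from the report or from the audited systems: it audits 'line vty' blocks for cleartext login and cross-checks observed listening ports against the two protocols the directive prohibits. The IOS-style syntax, the sample configurations, and the port lists are constructed assumptions.

```python
import re

# Cleartext protocols named in the DHS Directive 4300A text quoted above.
PROHIBITED_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed samples in IOS-style syntax. The syntax is an assumption: the
# report does not name the switch vendor or reproduce any configuration.
WEAK_CONFIG = """\
hostname lab-switch-01
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input all
!
"""

HARDENED_CONFIG = """\
hostname lab-switch-01
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input none
!
"""


def vty_blocks(config):
    """Return [(header, [sub-commands])] for each 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None  # any unindented line closes the block
    return blocks


def audit_vty(config):
    """Classify every remote-login (vty) block as PASS, FAIL or REVIEW."""
    findings = []
    for header, commands in vty_blocks(config):
        transports = None
        for command in commands:
            match = re.fullmatch(r"transport input\s+(.+)", command)
            if match:
                transports = set(match.group(1).split())
        if transports is None:
            # Defaults differ between software releases, so do not guess.
            findings.append((header, "REVIEW", "no explicit 'transport input'"))
        elif transports & {"telnet", "all"}:
            findings.append((header, "FAIL", "Telnet login permitted"))
        elif transports <= {"ssh", "none"}:
            findings.append((header, "PASS", "SSH only or remote login disabled"))
        else:
            detail = "other transports: " + " ".join(sorted(transports))
            findings.append((header, "REVIEW", detail))
    return findings


def audit_listeners(open_ports):
    """Return [(port, protocol)] for observed listeners the directive prohibits."""
    return [(p, PROHIBITED_PORTS[p])
            for p in sorted(set(open_ports)) if p in PROHIBITED_PORTS]


def is_compliant(config, open_ports):
    """True only if every vty block passes and no prohibited port is listening."""
    vty_ok = all(status == "PASS" for _, status, _ in audit_vty(config))
    return vty_ok and not audit_listeners(open_ports)


if __name__ == "__main__":
    for name, cfg, ports in (("weak", WEAK_CONFIG, [21, 23, 80]),
                             ("hardened", HARDENED_CONFIG, [22])):
        print(name, "compliant:", is_compliant(cfg, ports))
        for finding in audit_vty(cfg):
            print("  ", *finding)
        for port, proto in audit_listeners(ports):
            print("  ", f"tcp/{port}", "FAIL", proto, "is listening")
```

The listener cross-check matters because a configuration that reads as SSH-only does not prove that ports 21 and 23 are closed on the running device.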

Vulnerable Services 

TSA's servers, router, and switches at LAX have numerous open 
ports and services on its system that may not be necessary. For 
example, the following services with known vulnerabilities were 
running: 

• The server was configured to allow Domain Name 
System zone transfers to be performed. This 
potentially poses a security risk of denial of service 
attacks. 

• Web Server was running on a nonstandard port. 

• The version of Internet Information Services running 
on the system is vulnerable to denial of service attacks. 

Additionally, the Null session was configured to allow a user to 
connect to the system without authentication. An attacker could 
potentially exploit the null session to gain a list of usernames and 
other potentially sensitive information. Unnecessary open ports 
and services increase the risk that TSA systems may be 
compromised by malicious users or external attacks. 

According to DHS Directive 4300A: 

"Components shall manage systems to reduce 
vulnerabilities through vulnerability testing, promptly 
installing patches, and eliminating or disabling unnecessary 
services, if possible." 

Management Controls 

TSA's implementation of management controls at LAX did not 
conform fully to DHS policies. Specifically, not all TSA IT 
resources at LAX are accounted for in its system inventory. For 
example, the logistics server and database are not included in the 
TSA system inventory or the TSA certification and accreditation 
process. TSA management cannot be assured that IT systems and 
data are adequately secured unless the various activities leading to 
accreditation are performed and the DAA has accepted in writing 
the risks associated with operating the systems. 

These management control deficiencies increase the risk to TSA's 
IT investments, systems, and data from new threats and 
vulnerabilities for which safeguards have not been implemented. 

According to DHS 4300A Handbook: 

"The initial Risk Assessment is updated and revised and 
becomes the final Risk Assessment as part of the overall 
accreditation process after the controls are implemented 
and tested and the results/corrective actions are 
implemented. Through the development of the final Risk 
Assessment, the definition of the program residual risk can 
be determined for the DAA's acceptance during 
accreditation." 

Recommendations 

We recommend that the TSA CIO take the following actions for 
TSA activities at LAX: 

Recommendation #15: Improve its physical and environmental 
controls to protect TSA's IT assets from possible accidental 
damage, hazardous conditions, fire, malicious actions, and natural 
disasters. 

Recommendation #16: Use a connection protocol that employs 
secure authentication. 

Recommendation #17: Eliminate or disable unnecessary ports 
from the servers, router, and switches. 

Recommendation #18: Ensure that all IT systems are included in 
TSA's inventory. 

Management Comments and OIG Analysis 

In the comments, TSA concurred with recommendations 15 
through 18. These recommendations will be considered resolved 
but open pending verification of all planned actions. 

USCG Did Not Comply Fully With DHS Sensitive System 
Policies 

USCG could strengthen operational and technical controls for its server, 
router, and switches operating at LAX. For example, USCG back-up 
tapes should be stored in an off-site facility. Additionally, USCG could 
strengthen access controls and ensure that only necessary ports are open 
on its server, router, and switches. 

Collectively, these 
deficiencies could place at risk the confidentiality, integrity, and 
availability of the data stored, transmitted, and processed by USCG at 
LAX. 

Operational Controls 

Onsite implementation of operational controls that did not conform 
fully to DHS policies included USCG IT assets that were not in a 
locked cabinet. Further, USCG needs to better safeguard its 
sensitive data stored on back-up tapes. Unauthorized personnel 
may have access to USCG IT assets and sensitive data stored in the 
back-up tapes. Figure 8 below illustrates USCG's open-rack pack 
with its back-up tapes stored in the USCG server room. 



To ensure the availability and 
integrity of USCG data, back-up tapes should be stored in an off-site 
facility accessible by authorized personnel only. 



According to the DHS 4300A Handbook: 

"Components shall ensure backup media are stored off site 
in accordance with their business continuity and IT 
Contingency plans." 

Technical Controls 

USCG's implementation of technical controls at LAX that did not 
conform fully to DHS policies include access control and password 
management requirements. 

These deficiencies increase the 
risk that USCG IT systems used at LAX are vulnerable to internal 
attacks. 

Access Controls 



Excess privilege given to users can put USCG data at risk by 
allowing insiders and others the opportunity to penetrate a system. 
This could result in the loss, theft, or destruction of USCG data. 

Additionally, USCG could strengthen password policies on its 
LAX systems. 



According to the DHS 4300A Handbook: 

"To protect sensitive information and limit the damage that 
can result from accident, error, or unauthorized use, the 
principle of least privilege must be applied. The principle 
of least privilege requires that users be granted the most 
restrictive set of privileges (or lowest clearance) needed for 
performance of authorized tasks — i.e., users should be able 
to access only the system resources needed to fulfill their 
job responsibilities." 

System Patches 

According to our technical scans, 

USCG data 

may be compromised if patches are not installed in a timely 
fashion. 

Vulnerable Services 



Unnecessary open ports and services increase the risk that USCG's 
systems at LAX may be compromised by malicious users or 
external attacks. 

According to DHS Directive 4300A: 

"Components shall manage systems to reduce 
vulnerabilities through vulnerability testing, promptly 
installing patches, and eliminating or disabling unnecessary 
services, if possible." 

Insecure Communications Protocols 

According to DHS Directive 4300A: 

"Telnet shall not be used to connect to any DHS computer. 
A connection protocol such as Secure Shell (SSH) that 
employs secure authentication (two factor, encrypted, key 
exchange, etc.) and is approved by the Component shall be 
used instead." 

Management Controls 

We did not find any reportable management control deficiencies 
for the USCG site at LAX. 

Recommendations 

We recommend that the USCG CIO take the following actions for 
USCG activities at LAX: 

Recommendation #19: Store back-up tapes in an off-site facility. 

Recommendation #20: Implement the password policy 
established by DHS Directive 4300A. 

Recommendation #21: Develop a process for implementing 
identified patches in a timely fashion. 

Recommendation #22: Eliminate or disable unnecessary ports 
from the server and router. 

Recommendation #23: Use a connection protocol that employs 
secure authentication. 

Management Comments and OIG Analysis 

In the comments, USCG concurred with recommendations 19 
through 23. These recommendations will be considered resolved 
but open pending verification of all planned actions. 

Appendix A 

Purpose, Scope, and Methodology 

This review is part of a program to evaluate, on an ongoing basis, 
the implementation of DHS technical and information security 
policies and procedures at DHS sites. The objective of this 
program is to determine the extent to which critical DHS sites 
comply with the department's technical and information security 
policies and procedures, according to DHS Directive 4300A and its 
companion document, the DHS 4300A Handbook. 

We coordinated the implementation of this technical security 
evaluation program with the DHS Chief Information Security 
Officer (CISO). We mutually agreed to the wording for the Rules 
of Behavior for the technical testing. 9 Our entrance and exit 
conferences were held with DHS components officials. 

Technical evaluations were performed only after the DHS CISO 
and DHS components official agreed to our negotiated Rules of 
Behavior. These technical evaluations included: 

• Security scans of the servers, routers, and switches 
using various software packages, and 

• Scans to determine whether wireless devices were 
being used by DHS components. 

We reviewed applicable DHS and components' policies and 
procedures, and components' responses to our site surveys and 
technical questionnaires. For example, we used components' 
responses to identify occupied space, server rooms, and 
telecommunications closets. Our onsite review included a physical 
review of components' space and interviews with components 
staff. 

Our technical review included technical scans of security controls 
as well as scans for DHS wireless devices operating at LAX. 
Additionally, we reviewed guidance provided by DHS to the 
components in the areas of patch management, operating systems, 
and wireless security. 

We provided components with briefings concerning the results of 
fieldwork and the information summarized in this report. We 
conducted this review between September 2007 and March 2008. 



9 The Rules of Behavior established the boundaries and schedules for the technical evaluations. 

We performed our work according to the Quality Standards for 
Inspection of the President's Council on Integrity and Efficiency 
and pursuant to the Inspector General Act of 1978, as amended. 

We appreciate the efforts by DHS management and staff to provide 
the information and access necessary to accomplish this review. 
Our points of contact for this report are Frank Deffer, Assistant 
Inspector General for Information Technology, (202) 254-4100, 
and Roger Dressier, Director for Information Systems and 
Architectures, (202) 254-5441. Major OIG contributors to the 
review are identified in Appendix C. 

Appendix B 

Management's Response to the Draft Report 



Office of the Chief Information Officer 
U.S. Department of Homeland Security 
Washington, DC 20528 

JUN 11 2008 

MEMORANDUM FOR: Frank Deffer 
                Assistant Inspector General, IT Audits 

VIA:            Richard Mangogna 
                Chief Information Officer 

FROM:           Robert West 
                Chief Information Security Officer 

SUBJECT:        Draft Report: Technical Security Evaluation of DHS Activities at Los 
                Angeles International Airport - Sensitive Security Information 



The Office of the Inspector General (OIG) requested the DHS Office of the Chief Information 
Officer (OCIO) to prepare a response to their Draft Report: Technical Security Evaluation of DHS 
Activities at Los Angeles International Airport, (A-IT-07-019). The OIG request, dated March 21, 
2008, is provided as Attachment A. The Department's consolidated Component response is 
provided as follows: 

• Custom & Border Protection (CBP) Response Dated April 25, 2008 - Attachment B 

• Immigration & Customs Enforcement (ICE) Response Dated April 18, 2008 - Attachment C 

• Transportation Security Administration (TSA) Response Dated May 15, 2008 - Attachment D 

• United States Coast Guard (USCG) Response Dated May 16, 2008 - Attachment E 



cc: Michael Butcher, OCIO Chief of Staff 
Dessadra Lomax, OCIO Audit Liaison 
John Buckley, ISSM CBP 
Gil Vega, ISSM ICE 
Jill Vaughan, ISSM TSA 
Michael Massino, ISSM USCG 
Janine Jones, CBP Audit Liaison 
Claude Lucas, ICE Audit Liaison 
Thomas Feltrin, TSA Audit Liaison 
Mark Kulwicki, USCG Audit Liaison 
Penny McCormack, DHS OIG/GAO Audit Liaison 



Attachments / as stated: 

ATTACHMENT A: 

OIG Transmittal Letter Requesting Comments on Draft Report Dated March 21, 2008 
Technical Security Evaluation of DHS Activities at Los Angeles International Airport 



Washington, DC 

MAR 21 2008 

MEMORANDUM FOR: Charlie Armstrong 
                Acting Chief Information Officer 

                Assistant Inspector General 
                Information Technology Audits 

SUBJECT:        Draft Report: Technical Security Evaluation of DHS 
                Activities at Los Angeles International Airport - FOR 
                OFFICIAL USE ONLY (FOUO) 

Attached for your review and comment is our draft report, Technical Security 
Evaluation of DHS Activities at Los Angeles International Airport - FOUO. The report 
identifies measures that can be taken by the United States Department of Homeland 
Security to enhance the implementation of technical and information security policies and 
procedures at DHS components located at Los Angeles International Airport, California. 

We would appreciate your written comments on the draft report and specific responses to 
each recommendation. Your comments must be received within 30 days to be assured of 
inclusion in the final report. Please furnish us with an electronic copy of your comments 
in addition to a signed paper copy. 

We ask that you review the report and advise us, under separate cover, of any concerns 
you have about publicly releasing any information contained in the report. Include in 
your response the specific elements of information that you believe should be excluded as 
well as reasons for the exclusion. 

Should you have any questions, please call me, or your staff may contact Roger Dressier, 
Director of Information Systems and Architectures, at (202) 254-5441. 

Attachment 

For Official Use Only 
ATTACHMENT B: CBP Response Dated April 25, 2008 

Draft Report: Technical Security Evaluation of DHS Activities at Los Angeles International Airport 



U.S. Department of Homeland Security 
Washington, DC 

U.S. Customs and 
Border Protection 

April 25, 2008 

MEMORANDUM FOR: PENELOPE McCORMACK 
                ACTING DIRECTOR 
                DHS OIG/GAO AUDIT LIAISON 

FROM:           Director 
                Office of Policy and Planning 

SUBJECT:        U.S. Customs and Border Protection Response to the Office of 
                Inspector General Draft Report entitled "Technical Security 
                Evaluation of DHS Activities at Los Angeles International Airport" 
                FOR OFFICIAL USE ONLY 

Attached is the U.S. Customs and Border Protection (CBP) corrective action plan and 
comments for your review and inclusion in the Department of Homeland Security's 
(DHS) response to the Office of Inspector General (OIG) draft report entitled, "Technical 
Security Evaluation of DHS Activities at Los Angeles International Airport." The report 
identifies measures taken by U.S. Customs and Border Protection (CBP) to enhance the 
implementation of technical and information security policies and procedures at Los 
Angeles International Airport (LAX), California. 

The OIG evaluation focused on how CBP has implemented computer security 
operational, technical and management controls for information technology assets at 
LAX. The report addresses both the strengths and weaknesses in the implementation of 
security policies and procedures. 

OIG started the actual on-site evaluation work at approximately the same time that the 
Office of Information and Technology (OIT) began an initiative to augment the 
information technology (IT) infrastructure at LAX. This scheduled start allowed the OIG 
auditors to view and evaluate the LAX system both before and after upgrades were 
accomplished. Using before and after site visits enabled OIG to give CBP credit for work 
that has already been completed. 

In the area of operational controls, OIG found that CBP lacked network and power 
redundancy to ensure continuity of operations at LAX. The CBP network outage that 
occurred on August 11, 2007, and lasted more than 10 hours, was exacerbated by an old 
IT infrastructure that did not have network or power redundancy. CBP is credited with 
subsequently adding circuits and hardware and establishing a new telecommunications 
closet to address the lack of redundancy at LAX. 

The seven recommendations contained in the draft report were presented and discussed at 
the exit conference, which was held March 2008. During the discussion CBP 
concurred with the recommendations but has since non-concurred with recommendation 
CBP also noted to OIG staff during the exit conference that there are concerns with 
implementing some of the recommendations due to the enforcement of other laws or 
regulations and the Airport Authority's purview over the facility. 

A corrective action plan to address the recommendations is attached. CBP uimlimwj the 
need to treat this report as a "For Official Use Only" document because of the sensitivity 
of the information contained in the report. Sensitive information has been annotated in 
the attached document. 

If you have any questions, please have a member of your staff contact Ms. Janine Jones 
at (202) VH-2IG9. 

Attachment 

CBP Response and Corrective Action Plans to OIG Draft Report 
Technical Security Evaluation of DHS Activities at Los Angeles International Airport 

Recommendation 1: Implement business continuity of operations capability for CBP facilities 
at LAX, including the installation of a back up power supply. 

Response: Concur 

CBP concurs with the recommendation. CBP at LAX is currently updating all CBP Field 
Technology Officers (FTO) Standard Operating Procedures (SOP) for this facility. Updated 
SOPs and a documented backup tape rotation schedule will be completed and ready for review 
by June 2, 2008. The backup solution will also be tested annually. The implementation date for 
the updated SOPs is still unscheduled. 

CBP expects to have this completed by December 31, 2008. 

Recommendation 2: Implement stronger physical security and environmental controls to 
protect CBP's assets from possible loss, theft, destruction, accidental damage, hazardous 
conditions, fire, malicious actions and natural disasters. 

Response: Concur 

CBP concurs with the recommendation. The upgrade to security locking door cabinets in all 
terminals is complete. 

Local CBP staff will be conducting a walk-through during the week of April 14, 2008, with 
LAWA to document all deficiencies. A walk through of all terminals will be conducted by 
April 30, 2008, to identify the rooms where temperatures exceed 70 degrees and the number of 
fire extinguishers that have not been properly maintained. Project plans will be created for all 
deficiencies by June 2, 2008, to identify corrective actions, both short and long term, and 
within the scope of the LAX Terminal Redevelopment Master Planning as required. The target 
dates for addressing each deficiency will be determined once the walk-through is completed 
and the results are analyzed. CBP anticipates that corrective actions for addressing each 
deficiency will be completed by December 31, 2008. 

CBP expects to have this completed by December 31, 2008. 

Recommendation 3: Use a connection protocol that employs secure authentication. 

Response: Non-concur 

CBP has therefore taken no corrective action. 

Recommendation 4: Apply the necessary operating systems upgrades. 

Response: Concur 

CBP concurs with the recommendation. CBP is working with the LAX Customs Immigration 
Service (CIS) Contractors at LAX to disconnect and retire the six refugee fingerprint machines 
from the CBP Network as the Operating System is not current and the hardware is outdated. 
CBP estimates that all six refugee fingerprint machines at LAX will be disconnected from the 
CBP Network on May 21, 2008, and the fingerprinting for arriving refugees at LAX will be done 
with the CBP-approved ten print system starting on May 21, 2008. 

CBP expects to have this completed by May 21, 2008. 

Recommendation 5: Close all unnecessary ports from the server, router, and switches. 

Response: Concur 

CBP concurs with the recommendation. CBP implemented SSH (Secure Shell, TCP port 22) 
based on an Audit recommendation because TELNET (TCP port 23) was vulnerable. CBP feels 
this addresses the recommendation. 

CBP expects to have this completed by May 31, 2008. 

Recommendation 6: Upgrade the FWFL SSP and perform risk assessments whenever there are 
significant changes to the system. 

Response: Concur 

CBP concurs with the recommendation, and based upon DHS guidance, the system CBP 
Information System Security Officer (ISSO) shall conduct an annual self-assessment to ensure 
the CBP System Security Plan (SSP) is current. This self-assessment for the Far West Field 
LAN (FWFL) was completed April 1, 2008. 

Additionally, when a self-assessment identifies that a significant change has taken place, a 
recertification of the system shall result. This recertification will include the following updated 
CBP artifacts: System Security Plan, Contingency Plan, Risk Assessment, Security Test & 
Evaluation (ST&E) Plan, and Security Assessment Report. The scheduled completion date for 
the Far West / Southern California Field LAN recertification is September 2009. 

CBP expects to have this completed by September 30, 2009. 

Recommendation 7: Regularly perform vulnerability assessments on IT systems containing 
sensitive information, as required by DHS Directive 4300A. 

Response: Concur 

The CBP Security Operation Center (SOC) concurs that systems should be scanned in 
accordance with DHS MD 4300A. CBP SOC conducts scans at minimum twice annually across 
the environment, 

DHS SOC has worked with the scan vendor to determine a method of 
scanning these systems with minimal impact; however it requires close LAN support in the 
event that systems become unstable. This method will be used until a better solution can be 
determined. 

CBP expects to have this completed by December 31, 2008. 



'TiP time in 1 in i el Technical Ointments 

CBP has no comments. 
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ftfftte of <fct' .■tui+tmrt On »»■* 

I'.S. Drpxrlwnl .*f NoiuH. 

423 I Street, NW 



U.S. Immigration 
and Customs 
Enforcement 



APS 1 fi 2(]rjfi 



MEMORANDUM FOR: kiduud L Skfrmet 
Inspector iiciiunil 

PROM: Julie 1- Myci*/W 

Assistant Seefflnry 

SU BJECT: WeS|Hmse to Recommendations: OKI Draft Ropflffl " Technical 

Security E- va\ uation of D\ ES Activities at Los Angles 
International AirnorV iLnleil Mareli ZOOM. forOU'iem! Use Only 
(FOUOVLaw Ktilorecmeni Sensitive (LBS) 

TtW following responses are provitlcd to the suhjeeE repurl: 

Recommendation ft: "Implement surtHigur physical security to protect lCE*a IT nasals from 
possible loss* theft, destruction, accidental damage, hu/nnlous conditions, line, mnlieious 
actions, ami natural disasters." 

idi i ' ■. I ■-■ ■ ICR concurs. U.S. Immigration ami L usimiis hailoreenicnt (K'|-:j is working 
wtili tbo Special Agent En Char&e, Los Articles (SAC l,A) h lo improve the physical iunl 
technology security situation at Los Angeles Intci national AinjKin. The General Services 
Adnnnistriuion fOSA) has been mgfigu to Konfra new office ${MK», hut Use new location is 
slill unknown, A murkci survey w;ts conducted hy OSA im January 23, 200K to locate a new 
office facility. SAC I .A is 11 wailing the IieijI award for the project hy OS A, ICl- is monitoring 
I lie upgrade project. 

[CI: requests Hiat this recommendation be considered resolved ami closed. 

Recommendation 9: "Provide an adequate HVAC system for the server room or obtain a
waiver from the DAA."

ICE Response: ICE concurs. As part of the requirement for new office space, ICE has
requested that GSA identify and require a facility with sufficient HVAC capacity to meet the
DAA standard.

ICE requests that this recommendation be considered resolved and closed.

Recommendation 10: "Use a connection protocol that employs secure authentication."

ICE Response: ICE concurs. As the network connectivity for this site is part of the U.S.
Customs and Border Protection (CBP) network, the CBP OCIO controls the router and switch
configurations and management protocols. ICE will coordinate with CBP OCIO to address the
changes required to support connection protocols that allow for stronger authentication.



ICE requests that this recommendation be considered resolved and open until ICE and CBP
resolve those changes. The estimated completion date is December 31, 2(1(114.

Recommendation 11: "Apply the necessary operating system upgrades to the server."

ICE Response: ICE concurs. ICE OCIO is working to upgrade all older/outdated equipment
to the latest hardware and operating system.

ICE requests that this recommendation be considered resolved and open until ICE certifies to
OIG that all hardware has been updated. The estimated completion date is December i I 2()(IK.

Recommendation 12: "Eliminate or disable unnecessary ports from the server and router."

ICE Response: ICE concurs. ICE OCIO is working to disable or properly configure any
hardware that might have unnecessary ports.

ICE requests that this recommendation be considered resolved and open pending completion of
reconfiguration. The estimated completion date is September 30, 2(X)ti.

Recommendation 13: "Establish and maintain the required interconnection security
agreements."

ICE Response: ICE does not concur. OIG believes that an Interconnection Security
Agreement (ISA) should exist between ICE and CBP because ICE systems traverse the CBP
network. DHS Management Directive 4300A Section 5.4.3 states: "Components shall
document interconnections with other external networks with an Interconnection Security
Agreement (ISA). Interconnections between DHS Components shall require an ISA when
there is a difference in the security categorizations for confidentiality, integrity, and availability
for the two networks. ISAs shall be signed by both DAAs or by the official designated by the
DAA to have signatory authority." If the confidentiality, integrity, and availability levels
(CIA) for the two networks are the same, DHS components are not required to perform ISAs.
While individual systems may have differing CIA levels, the network aggregates are almost
always C-high, I-high, and A-high. Therefore, no ISA is required, rendering this
recommendation moot.

ICE requests that this recommendation be considered resolved and closed.

Recommendation 14: "Include the IT assets at the El Segundo Field Office in the system
security plan (SSP) for the Special Agent in Charge, West Region."

ICE Response: ICE does not concur. The El Segundo field office is an ICE Office of
Investigations Resident Agent in Charge (RAC) office. This RAC office is subordinate to the
Los Angeles Special Agent in Charge (SAC) area of responsibility. In the regional general
support system certification and accreditation package for the SACs, the ICE Office of
Investigations only identified the primary SAC locations within each region. This
type-accreditation strategy is the reason why the El Segundo RAC office is not specifically
identified in the SSP. This strategy is consistent with the "Standards for Internal Control in the
Federal Government" as a valid management control of information systems.

ICE requests that this recommendation be considered resolved and closed. 






ICE will provide a Mission Action Plan to the OIG to identify assignments, timelines for
completion and accountable officials to address those recommendations that are not resolved
and closed. Please contact ICE OIG Audit Portfolio Manager Claude Lucas at (202) SI4-V22A
if there are any questions or concerns regarding this response.



Copy: 
File

Frank Deffer, OIG
Domingo Alvarez, OIG
Luke J. McCormack, ICE CIO
Tnnt DeUinse, ICE OCIO
Karen Walter™ ire, ICE OCIO



SENSITIVE SECURITY INFORMATION

MAY 1 B

Transportation Security Administration

INFORMATION



MEMORANDUM FOR: Richard L. Skinner
Inspector General
Department of Homeland Security (DHS)

FROM: Kip Hawley
Assistant Secretary

SUBJECT: Transportation Security Administration's Response to the
DHS Office of Inspector General's (OIG) Draft Report,
Technical Security Evaluation of DHS's Activities at
Los Angeles International Airport, March 2008

This memorandum constitutes the Transportation Security Administration's (TSA) response
to OIG's Draft Report, Technical Security Evaluation of DHS's Activities at Los Angeles
International Airport. TSA appreciates OIG's effort on this evaluation and will use the
findings and recommendations to continue to improve technical security at our Los Angeles
International (LAX) Airport operation.



ftnTrlflTTrllfrlt 

OIG evaluated the effectiveness of technical and information security policies and procedures
of DHS components (Customs and Border Protection, Immigration and Customs
Enforcement, the United States Coast Guard and TSA) at LAX. Specifically, OIG focused
on how these components implemented computer security, operational, technical, and
management controls at this site. OIG collected relevant documentation, conducted onsite
inspections and technical tests of internal controls, and interviewed DHS staff.

As a result of this evaluation, OIG indicates that TSA could strengthen operational, technical,
and management controls for its servers, routers and switches operating at LAX. For
example, OIG states that TSA could remove excess storage from the server room, implement
fire suppression, and ensure all information technology (IT) resources are included in the TSA
system inventory.



WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of
this record may be disclosed to persons without a "need to know", as defined in 49 CFR parts 15 and 1520, except with the
written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation.
Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed
by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.

Discussion 

The TSA Chief Information Officer (CIO), through its Chief Information Security Officer
(CISO) in the IT Security Branch, works closely with other TSA programs such as the Chief
Administrative Office (CAO), Office of Real Estate; the Office of Security, Physical Security
Division; and Federal Security Directors' (FSD) staffs to ensure that local TSA offices and
administrative space meet physical and environmental security requirements. The IT Security
Branch and the Office of Security, Physical Security Division also use internal assessments
to systematically verify that these requirements are being met and IT assets are protected.

These concerted efforts have resulted in an array of technical security controls which 
currently protect TSA IT assets at LAX. Some of the existing controls include: 

• Access control systems on doors which only allow entry to TSA employees 
with authorization; 

• Locking cabinets to securely contain core network equipment; and

• Uninterruptible Power Supply (UPS) systems which help condition power and
serve as backup power in case of power loss to the building.

TSA continues to improve technical security controls at LAX, and these improvements are
reflected in our attached response to OIG's recommendations.




Transportation Security Administration (TSA) Response
Department of Homeland Security (DHS) Office of Inspector General (OIG) Draft Report:
Technical Security Evaluation of
DHS's Activities at Los Angeles International Airport,
March

DHS OIG recommends that the TSA Chief Information Officer (CIO) take the following
actions for TSA activities at Los Angeles International (LAX) Airport:

Recommendation 15: Improve its physical and environmental controls to protect TSA's
information technology (IT) assets from possible accidental damage, hazardous
conditions, fire, malicious actions, and natural disasters.

TSA Concurs. TSA concurs with OIG's recommendation and will continue to improve
physical and environmental controls to protect TSA's IT assets. TSA has already made
progress implementing this recommendation. For example, OIG noted at the time of its
evaluation that TSA did not have water sprinklers or fire extinguishers in the server room or
telecommunication closets. While fire extinguishers were located nearby at the time of the
evaluation, TSA has since added fire extinguishers in the server room and each
telecommunications closet. TSA has also secured the two unbraced shelves located in the
server room and has removed non-IT items stored in the telecommunications closets. Other
IT equipment, which is necessarily stored in the server room for security reasons, will be
removed when High-Speed Operational Connectivity (Hi-SOC) deployment at LAX is
completed. The CIO, through its Chief Information Security Officer and IT Security Branch,
along with the Office of Security, Physical Security Division, will continue to drive
improvements in IT security at LAX and other airports through such activities as internal
assessments of IT and physical security.

Recommendation 16: Use a connection protocol that employs secure authentication.

TSA Concurs. TSA concurs and has already begun implementing this recommendation.
TSA has made configuration changes at LAX to ensure the connection protocol employs
secure authentication.




Recommendation 17: Eliminate or disable unnecessary ports from servers, router, and
switches.

TSA Concurs . TSA concurs and has already begun implementing this recommendation. 



Ensure that all IT systems are included in TSA's inventory.

TSA Concurs. TSA concurs and has already begun implementing this recommendation.
TSA's FY OK Inventory Plan includes making an inventory of IT hardware and adding it to
Sunflower (TSA's Asset Management System). LAX is scheduled to be inventoried in April
2005.



Homeland Security

United States



DC 20593-0001 
A CG.fl 

Emeu. L«nnnd.L.RlBflr9uaC5.mll 
7100 



MEMORANDUM 



From: RDML D. T. Glenn
COMDT (CG-6)

Reply to Attn of: CG-62
CAPT L. L. Ritter
(202) 475-3535



Mr. Frank Deffer, Assistant Inspector General, Information Technology Audits
U.S. Department of Homeland Security



Subj: DRAFT REPORT TECHNICAL SECURITY EVALUATION OF DHS ACTIVITIES
AT LOS ANGELES INTERNATIONAL AIRPORT - FOR OFFICIAL USE ONLY
(FOUO)

Ref: (a) DHS OIG Memorandu



Mil r OS 



1. The United States Coast Guard appreciates the opportunity to comment on the draft report of
findings identified during an onsite audit which was conducted over the period between
September 2007 and March 2008. As requested in reference (a), the United States Coast Guard
response to Draft Audit Report - Technical Security Evaluation of DHS Activities at Los
Angeles International Airport is enclosed.



Copy: COMDT (CG-62)

USCG RESPONSE TO DRAFT TECHNOLOGY SECURITY EVALUATION OF DHS
ACTIVITIES AT LOS ANGELES INTERNATIONAL AIRPORT



: Store back-up tapes in an off-site facility.



YES- 



Recommendation #20: Implement the password policy established by DHS Directive 4300A.

Resolution #20:
YES -

Recommendation #21: Develop a process for implementing identified patches in
a timely fashion.



YES 



r disable unnecessary ports from the server and router. 



YES 



Recommendation #23: Use a connection protocol that employs secure authentication.

ltcyli.li.iu 

YES - 



Enclosure (1)
Steve Matthews, Manager, Department of Homeland Security,

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



